Computer Laws Data Protection Act 1998 Computer Misuse Act 1990
Learning Objectives List the measures that must be taken in order to protect against hacking (physical and software) and viruses. Explain the need for data protection legislation and to protect confidentiality of Data. Explain how this can be addressed.
Why do we need data protection legislation? Many organisations store large amounts of personal information about people on their computer systems. This may be data on customers, employees, suppliers, competitors, etc. This may be data on customers, employees, suppliers, competitors, etc. The increasing trend to store vast quantities of such data has worried many people.
Concerns Who will be able to access this data? Will information about me be available over the Internet, and therefore vulnerable to hackers? Can my records be sold on to someone else? Is the data accurate? If it is stored, processed and transmitted by computer, who will check that it is accurate? Will data about me be stored even if it is not needed?
In order to address these concerns, the Data Protection Act (1998) was passed.
Data Protection Act 1998 Data must be obtained and processed lawfully. Data must be obtained and specified for lawful purposes. Data stored must be relevant. Data stored must be kept accurate and up to date. Data stored must be kept no longer than necessary. Data must be processed within the data subject's rights. Data must be kept secure. Data must not be transferred to countries that do not have suitable data protection laws.
Personal data should be obtained and processed fairly and lawfully. This means that you should be told that data is being collected about you, and you should know what the data will be used for.
Personal data can be held only for specified and lawful purposes. The Data Controller has to state why they want to collect and store information when they apply for permission to be able to do so. If they use the data they have collected for other purposes, they are breaking the law.
Personal data should be adequate, relevant and not excessive for the required purpose. Organisations should only collect the data that they need and no more. Your school needs to know your parent's phone number in case they need to contact them in an emergency. However, they do not need to know what your grandmother's name is, nor do they need to know your eye colour. They should not ask, nor should they store such details since this would be excessive and would not be required to help with your education.
The personal data should be accurate and kept up-to-date. Companies should do their best to make sure that they do not record the wrong facts about a data subject. Your school probably asks your parents to check a form once a year to make sure that the phone number and address on the school system is still correct. If a person asks for the information to be changed, the company should comply if it can be proved that the information is indeed incorrect.
The personal data should not be kept for longer than is necessary for the purpose for which it is collected. Organisations should only keep personal data for a reasonable length of time. Hospitals might need to keep patient records for 25 years or more, that is acceptable since they may need that information to treat an illness later on. However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.
Data must be processed in accordance with the rights of the data subjects. People have the right to inspect the information held on them (except in certain circumstance - see later). If the data being held on them is incorrect, they have the right to have it changed.
Appropriate security measures must be taken against unauthorised access. This means information has to be kept safe from hackers and employees who don't have rights to see it. Data must also be safeguarded against accidental loss.
Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection. This means that if a company wishes to share data with an organisation in a different country, that country must have similar laws to our Data Protection Act in place.
Exemptions National Security CrimeTaxation Heath, Education and Social Work Personal data about the physical or mental health of the data subject. Personal data about the physical or mental health of the data subject. Personal data being processed by government departments or local authorities which is being used in the course of any investigation or monitoring. being processed by government departments or local authorities which is being used in the course of any investigation or monitoring. That could form part of a confidential reference (application for employment or a college course etc) That could form part of a confidential reference (application for employment or a college course etc)
Computer Misuse Act 1990 This law was devised to reduce the activity of hackers, with these 3 main points: It is illegal to access unauthorised data. It is illegal to access unauthorised data. It is illegal to access unauthorised data and intend to do it again. It is illegal to access unauthorised data and intend to do it again. It is illegal to access unauthorised data and amend it. It is illegal to access unauthorised data and amend it.
How to protect against Hacking Physical methods: Keeping important computers in locked rooms. Keeping important computers in locked rooms. Posting security guards. Posting security guards. Security locks, smart cards. Security locks, smart cards. Keeping sensitive data on stand-alone machines instead of networks. Keeping sensitive data on stand-alone machines instead of networks. Using alarm systems and video cameras Using alarm systems and video cameras Software methods: Data encryption data is 'scrambled' before being transmitted through a network. Only the authorised recipient has the 'key'. Firewalls - software to block access from outside. Activity logs, passwords and levels of security.
Plenary What measures must be taken in order to protect against hacking (physical and software)?
How to protect against Hacking Physical methods: Keeping important computers in locked rooms. Keeping important computers in locked rooms. Posting security guards. Posting security guards. Security locks, smart cards. Security locks, smart cards. Keeping sensitive data on stand-alone machines instead of networks. Keeping sensitive data on stand-alone machines instead of networks. Using alarm systems and video cameras Using alarm systems and video cameras Software methods: Data encryption data is 'scrambled' before being transmitted through a network. Only the authorised recipient has the 'key'. Firewalls - software to block access from outside. Activity logs, passwords and levels of security.
Plenary Why do we need data protection legislation and protect confidentiality of Data? Concerns: Who will be able to access this data? Will information about me be available over the Internet, and therefore vulnerable to hackers? Can my records be sold on to someone else? Is the data accurate? If it is stored, processed and transmitted by computer, who will check that it is accurate? Will data about me be stored even if it is not needed?
Plenary How did the government address these concerns? It brought out the Data Protection Act 1998.